Computer viruses, or simply “viruses,” are executable programs or procedures, often masquerading as legitimate files, messages or attachments that cause malicious and sometimes destructive results. More precisely, computer viruses include any form of self-replicating computer code which can be stored, disseminated, and directly or indirectly executed by unsuspecting clients. Viruses travel between machines over network connections or via infected media and can be executable code disguised as application programs, functions, macros, electronic mail (email) attachments, images, applets, and even hypertext links.
The earliest computer viruses infected boot sectors and files. Over time, computer viruses became increasingly sophisticated and diversified into various genre, including cavity, cluster, companion, direct action, encrypting, multipartite, mutating, polymorphic, overwriting, self-garbling, and stealth viruses, such as described in “Virus Information Library,” http://vil.mcafee.com/default.asp?, Networks Associates Technology, Inc., (2001), the disclosure of which is incorporated by reference. Macro viruses are presently the most popular form of virus. These viruses are written as scripts in macro programming languages, which are often included with email as innocuous-looking attachments.
Historically, anti-virus solutions have reflected the sophistication of the viruses being combated. The first anti-virus solutions were stand-alone programs for identifying and disabling viruses. Eventually, anti-virus solutions grew to include specialized functions and parameterized variables that could be stored in a data file. During operation, the data file was read by an anti-virus engine operating on a client computer. Finally, the specialized functions evolved into full-fledged anti-virus languages for defining virus scanning and cleaning, including removal and disablement, instructions.
Presently, most anti-virus companies store the anti-virus language code for each virus definition into data files. For efficiency, the source code is compiled into object code at the vendor site. The virus definitions, including the object code, are then stored into the data files. To speed virus detection, the virus definitions are organized for efficient retrieval often as unstructured binary data.
Anti-virus companies are continually discovering new computer viruses on a daily basis and must periodically distribute anti-virus software updates. Each update augments the data file with new computer virus definitions, as well as replacing or deleting old virus definitions. Over time, however, the size of the data files tend to become large and can take excessive amounts of time to download. Long download times are particularly problematic on low bandwidth connections or in corporate computing environments having a large user base.
Anti-virus software maintenance is labor intensive and time-consuming but critical to maintaining an effective defense to the threats posed by computer viruses, malware, and other bad content. Updated computer virus definitions and computer anti-virus application components must be installed and configured at each client system. Moreover, during an emergency, such as arising due to a new form of aggressive computer virus, computer virus definitions must be rapidly disseminated and installed to protect against the computer virus.
Disseminating computer virus definitions and anti-virus application components to each client separately consumes significant amounts of bandwidth and processing resources. The bandwidth consumed by a single update can downloaded patches and DATs and multicasts the updates to individual agents for updating and installation. The hierarchical structuring of the replicator-superagent-agent topology allows rapid dissemination of computer anti-virus application components without significant delay or bandwidth and resource consumption.
An embodiment provides a system and method for efficiently disseminating computer anti-virus system components. A repository of computer anti-virus system components cataloged in an on-line directory is maintained. The on-line directory is periodically accessed to identify those computer anti-virus system components in deployed clients requiring updating. The identified computer anti-virus system components are pulling and forwarded to select superagents within a defined network domain. The identified computer anti-virus system components are multicast to each deployed client.
A further embodiment provides a system and a method for providing automated low bandwidth updates of computer anti-virus application components. Components of one or more deployed computer anti-virus applications requiring updating are periodically identified. Each updated computer anti-virus application component is pulled from a component repository on a centralized component server by a replicator. Each out-of-date computer anti-virus application component is updated. The one or more updated computer anti-virus application components for the computer anti-virus applications are pushed to superagents. The updated computer anti-virus application components to the deployed computer anti-virus applications are multicast to agents.
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein is described embodiments of the invention by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and quickly become unmanageable as duplicate copies are routed to the various clients.
In the prior art, unnecessary data duplication and bandwidth consumption have been avoided through the use of tiered updating architectures. Each update originates at a centralized server which sends one copy of the updated computer virus definition to a single client. The client copies the updated computer virus definition before forwarding the complete definition on to a subsequent client. The updating sequence is repeated until every client has been updated in round-robin fashion. However, this approach is inherently serial and the update cycle can halt due to a single client failure. Thus, the reliance on a single client creates a bottleneck to the rapid dissemination of updates.
Therefore, there is a need for an approach to providing efficient dissemination of computer virus definitions and anti-virus application components. Preferably, such an approach should avoid unnecessary bandwidth consumption lost through duplicate downloads and wasted storage.
There is a further need for a rapid and responsive approach to computer anti-virus application component dissemination. Preferably, such an approach should use low bandwidth and be capable of sending ad hoc updates without notice. In addition, a repository of updates should be maintained for those clients that fail to receive periodic updates.